(57) ABSTRACT 

A shared memory blocking method and particularly appli- 
cable to a system in which protected data is transmitted to a 
recipient computer. The method comprises reserving a 
memory page for a requesting application, committing a 
memory page to the requesting application's address space, 
which call may be made by the process providing the page 
reserve call or by a subsequent process, and providing 
security checks to complete the requests. The security 
checks include determining whether the process is secured 
by consulting a secured process list and determining whether 
the page is shared by consulting a shared memory list. 
Further disclosed are a computer readable medium and 
computer programmed to block shared memory, shared 
memory blocking system and secured data transmission 
system. 
SHARED MEMORY BLOCKING METHOD 
AND SYSTEM 

This application claims the benefit of Provisional appli- 
cation Ser. No. 60/157,472, filed Oct. 1, 1999. 

FIELD OF THE INVENTION 

The invention relates to the protection of data stored in a 
computer, and more particularly to data which has been 
imported from an outside source. 

BACKGROUND OF THE INVENTION 

Shared memory may be used to communicate between 
two or more concurrently running jobs or threads. One 
program creates a memory segment which other processes 
may access. 

Shared memory may be exploited for leaking data. "Leak- 
ing data" as used herein means transferring data out of a 
system in which it is desired to have the data secured. A data 
leak may occur if a process writes information to a shared 
memory location and another process accesses the informa- 
tion from that location. 

It is known to lock shared memory, usually to avoid 
processes accessing data out of sequence to ensure use of 
only updated shared data. Access to shared memory space is 
prohibited during use by a first process and thereafter 
unlocked to allow processes sharing the space access to 
updated data. Memory locking as known in the art is not a 
solution to data leakage. Accordingly, where data security is 
important, there is a need to limit data leakage from shared 
memory. 

SUMMARY OF THE INVENTION 

The invention discloses a shared memory blocking 
method particularly applicable to a system in which pro- 
tected data is transmitted to a recipient computer. An illus- 
trative embodiment of the invention comprises reserving a 
memory page for a requesting application, committing a 
memory page to the requesting application's address space, 
which call may be made by the process providing the page 
reserve call or by a subsequent process, and providing 
security checks to complete the requests. The security 
checks may include determining whether the process is 
secured by consulting a secured process list and determining 
whether the page is shared by consulting a shared memory 
list. 

Further disclosed are a shared memory blocking system, 
secured data transmission system, computer readable- 
medium programmed to block shared memory and computer 
configured to block shared memory. 

DESCRIPTION OF THE DRAWINGS 

The invention is best understood from the following 
detailed description when read with the accompanying fig- 
ures. 

FIG. 1 is a block diagram of a portion of a secured data 
transmission system according to an illustrative embodiment 
of the invention. 

FIGS. 2A-D are flow charts of a shared memory blocking 
method according to an illustrative embodiment of the 
invention. 

DETAILED DESCRIPTION OF THE 
INVENTION 

The invention disclosed may prohibit processes with 
shared pages from accessing secured data. The terms "infor- 
mation" and "data" as used herein are each intended to 
include the broadest definition of the other, and each include 
text, audio and video data. By way of further example, the 
term "information" can mean raw data, processed data, or a 
combination of raw and processed data. Blocking processes 
from sharing pages may reduce or eliminate data leakage 
from shared memory. Embodiments of the invention 
include a security check before a process is allowed to open 
a secured data file. The security check may comprise ascer- 
taining the shared memory state of the process and deter- 
mining whether the process is on a secured process list. 

The shared memory blocking process may be broken 
down into two primary parts. The first part comprises 
hooking service calls, including reserve, commit and free 
calls, used to collect data. The second part includes using 
data to govern access to secured data. 

The shared memory blocking of the present invention is 
best described as it may be implemented in a secured data 
transmission system. An illustrative example of such a 
system comprises two main components, a data packager 
and a receiver. The packager is used to create packages that 
carry file content to target recipients. The receiver runs on a 
recipient computer to allow access to packaged file content. 
FIG. 1 depicts an illustrative computer system 100 
according to an embodiment of the invention. A registry 
entry guard driver 120 is in communication with file system 
hook driver 140. Both drivers exist on the kernel (ring 0) 
level 130. Applications 160 run on higher levels 150. When 
applications 160 request access to shared memory 110, 
guard driver 120 in conjunction with hook driver 140 
monitors and handles the requests. 

A package carries data and provides associated informa- 
tion to a command center which is a component of an 
application programming interface, such as a Win32 pro- 
cess. A communication driver handles communication 
between the application programming interface and a plu- 
rality of device drivers. It provides a single set of device 
driver I/O control functions that are called from the appli- 
cation programming interface to send information to or 
retrieve information from the device drivers. The commu- 
nication driver is called by a hook driver to notify the 
command center that a process is trying to open a packaged 
file. The device drivers, together with the application pro- 
gramming interface, marshal the packaged content into a 
vault and support access to the content, subject to an 
originator's permission selection. The command center may 
watch for packages to be executed and prompt users for file 
names to save a package payload. It may notify the file 
system hook driver that a package payload should be 
absorbed into the vault. It may present users with a dialog 
indicating that an application is attempting to open a pack- 
aged file. It may also notify device drivers 160 when 
applications exit. The command center may block clipboard 
access and terminate applications at the request of a per- 
missions device driver when permissions expire. Permission 
information is contained in a database and may include, for 
example, file names, package ID, file system ID and file 
permissions. File permissions may include, but are not 
limited to, length of time or number of times a file may be 
open, date after which a file may no longer be opened, and 
printing and clipboard permissions. 

File system hook driver 140 obtains a data request initi- 
ated from a user who is looking to access a packaged or 
absorbed file. When hook driver 140 receives the request, it 
performs a security check on the process and then queries 
the user. The process is then added to a secured process list 
and future access is blocked. 
Following is an illustrative embodiment of the invention. 
Those skilled in the art will understand that variations on the 
shared memory blocking that include security checks to 
determine whether processes are secured and whether pages 
are shared are equivalent to the steps described herein, and 
thus, are within the spirit and scope of the invention. The 
illustrative embodiment of shared memory blocking is 
depicted in FIGS. 2A-D. FIG. 2A is a flow chart of an 
exemplary page reserve call filtering sequence. The reserve 
call reserves a page of memory for a requesting application. 
The filtering sequence begins by providing the call in step 
302. The call is then filtered by first determining whether the 
page can be shared based on request parameters in step 304. 
If the page cannot be shared the request is allowed to be 
completed in step 306 thereby successfully filtering the call 
in step 309. If the page can be shared, the reserve call is 
tracked in step 308 by creating a record and entering the 
record into a shared memory list thereby filtering the call in 
step 309. The record may include a process ID, page number 
and share count. FIG. 2B depicts an exemplary sequence for 
filtering a page commit call. The page commit call is 
provided to commit the memory page for the requesting 
process or for a subsequent requesting process in step 310. 
In step 312 it is determined, by accessing the shared memory 
list, if the page is shared by another process. If the page is 
shared, it is determined whether either of the sharing pro- 
cesses are secured in step 314 by accessing a secured process 
list. The secured process list is created by continually 
compiling records produced when a user attempts to open a 
protected file. If either process is secured, page sharing is not 
allowed as shown in step 316, and the commit call is 
successfully filtered in step 318. If both processes are not 
secured, a new shared memory record is created in step 320, 
and the shared memory list is updated with information 
contained in the new record in step 322. The share count is 
also updated for any processes sharing the page. 
Accordingly, the call is successfully filtered in step 318. If 
the page is not shared, the commit request is completed in 
step 324 and hence successfully filtered in step 318. The 
committed application is then performed. 

FIG. 2C depicts an illustrative filtering sequence for a 
page free call. The page free call may be used to free the 
memory page of some or all address spaces. The call is 
provided in step 326. In step 328 it is determined whether the 
process is secured by checking the secured process list. If the 
process is secured, the page is overwritten to delete secured 
data in step 330, and all records in the shared memory list 
with a page number the same as the overwritten page are 
deleted in step 332. If the process is not secured all records 
from the shared memory list with a page number corre- 
sponding to the unsecured process page are also deleted in 
step 332. Once pages are deleted, the page free call is 
successfully filtered in step 334. 

Before a process is allowed to open packaged data via the 
hook driver, a security check is performed to determine the 
shared memory state of the process, and hence, to determine 
whether access to the process should be granted. No process 
with shared pages is allowed to access packaged data. FIG. 
2D is a flow chart of a shared memory state security check. 
In step 410 the security check is initiated. In step 412 it is 
determined whether the process has any pages with a share 
count greater than zero. If the process has any pages with a 
share count greater than zero the process fails the security 
check and access is denied to the process in step 414. If the 
process does not have any shared pages with a share count 
greater than zero then in step 416 access to the secured data 
is granted and the process is added to the secured process 
list. Completing steps 414 and 416 completes a security 
check as shown in step 418. 

A further illustrative embodiment of the invention is 
directed to a shared memory blocking system wherein the 
system blocks memory according to methods provided 
herein. The illustrative shared memory blocking system 
embodiment comprises an applications programming inter- 
face to marshal one or more packaged files into a secured 
vault and support file content access. The applications 
programming interface includes a command center to moni- 
tor package access. A file system hook driver is in commu- 
nication with the command center and with a registry entry 
guard driver to carry out shared memory blocking. 

Further disclosed is a secured data transmission system 
having a receiver component to access secured file content 
provided by a sender, wherein the receiver includes a shared 
memory blocking system. 

Still further disclosed are a computer configured to block 
shared memory and a computer-readable medium pro- 
grammed to block shared memory, both according to meth- 
ods provided herein. The terms "computer" or "computer 
system" as used herein include any device capable of 
transmitting information including, without limitation, a 
personal computer, such as a laptop, palm PC, desktop or 
workstation, a network server, a mainframe, an electronic 
wireless device, such as for example, a telephone, an 
interactive television or electronic box attached to a 
television, such as for example, a television adapted to be 
connected to the Internet, a cellular or mobile telephone, a 
personal digital assistant, an electronic pager, and a digital 
watch. In an illustrative example information is transmitted 
via e-mail. 

While the invention has been described by illustrative 
embodiments, additional advantages and modifications will 
occur to those skilled in the art. Therefore, the invention in 
its broader aspects is not limited to specific details shown 
and described herein. Modifications may be made without 
departing from the spirit and scope of the invention. 
Accordingly, it is intended that the invention not be limited 
to the specific illustrative embodiments but be interpreted 
within the full spirit and scope of the appended claims and 
their equivalents. 

What is claimed is: 

1. A shared memory blocking method comprising: 

providing a call to reserve a memory page for a requesting 
process; 

filtering the reserve call according to whether the page can 
be shared; 

providing a call to commit the memory page for the 
requesting process or for a subsequent requesting pro- 
cess; 

filtering the commit call according to whether the page 
can be shared and whether the process can be secured; 

wherein filtering the reserve call comprises: 

determining whether the page can be shared based on 
request parameters; and 

if the page cannot be shared, allowing the request to be 
completed; or if the page can be shared, tracking the 
reserve call by creating a record and entering the record 
into a shared memory list. 

2. The method of claim 1 wherein the record includes a 
process ID, page number and share count. 

3. The method of claim 1 wherein filtering the commit call 
comprises: 

determining, by accessing a shared memory list, if the 
page is shared by another process; 
if the page is shared, determining whether either of the 
sharing processes are secured by accessing a secured 
process list; and 

if either process is secured, disallowing page sharing; or 

if both processes are not secured, creating a new shared 
memory record, updating the share count for processes 
sharing the page and updating the shared memory list 
with information contained in the new record; or if the 
page is not shared, completing the commit request. 

4. The method of claim 3 wherein the record includes a 
process ID, page number and share count. 

5. The method of claim 1 further comprising: 

providing a call to free the memory page of all address 
spaces; 

determining whether the process is secured by checking a 
secured process list; and 

if the process is secured, overwriting the page to delete 
secured data, and deleting all records in the shared 
memory list with a page number the same as the 
overwritten page; or 

if the process is not secured deleting all records from a 
shared memory list with a page number corresponding 
to the unsecured process page. 

6. A shared memory blocking system wherein the system 
blocks shared memory by a method comprising: 

providing a call to reserve a memory page for a requesting 
process; 

filtering the reserve call according to whether the page can 
be shared; 

providing a call to commit the memory page for the 
requesting process or for a subsequent requesting pro- 
cess; 

filtering the commit call according to whether the page 
can be shared and whether the process can be secured; 

wherein filtering the commit call comprises: 

determining, by accessing a shared memory list, if the 
page is shared by another process; 

if the page is shared, determining whether either of the 
sharing processes are secured by accessing a secured 
process list; and 

if either process is secured, disallowing page sharing; or 

if both processes are not secured, creating a new shared 
memory record, updating the share count for processes 
sharing the page and updating the shared memory list 
with information contained in the new record; or 

if the page is not shared, completing the commit request. 

7. The shared memory blocking system of claim 6 
wherein filtering the reserve call comprises: 

determining whether the page can be shared based on 
request parameters; and 

if the page cannot be shared, allowing the request to be 
completed; or 

if the page can be shared, tracking the reserve call by 
creating a record and entering the record into a shared 
memory list. 

8. The shared memory blocking system of claim 7 
wherein the record includes a process ID, page number and 
share count. 

9. The shared memory blocking system of claim 6 
wherein the record includes a process ID, page number and 
share count. 

10. The shared memory blocking system of claim 6 
further comprising: 

providing a call to free the memory page of all address 
spaces; 

determining whether the process is secured by checking a 
secured process list; and 

if the process is secured, overwriting the page to delete 
secured data, and deleting all records in the shared 
memory list with a page number the same as the 
overwritten page; or 

if the process is not secured deleting all records from a 
shared memory list with a page number corresponding 
to the unsecured process page. 

11. A secured data transmission system having a receiver 
to access secured file content provided by a sender, wherein 
the receiver includes a shared memory blocking system 
wherein the system blocks shared memory by a method 
comprising: 

providing a call to reserve a memory page for a requesting 
process; 

filtering the reserve call according to whether the page can 
be shared; 

providing a call to commit the memory page for the 
requesting process or for a subsequent requesting pro- 
cess; 

filtering the commit call according to whether the page 
can be shared and whether the process can be secured; 

providing a call to free the memory page of all address 
spaces; 

determining whether the process is secured by checking a 
secured process list; and 

if the process is secured, overwriting the page to delete 
secured data, and deleting all records in the shared 
memory list with a page number the same as the 
overwritten page; or 

if the process is not secured deleting all records from a 
shared memory list with a page number corresponding 
to the unsecured process page. 

12. The secured data transmission system of claim 11 
wherein filtering the reserve call comprises: 

determining whether the page can be shared based on 
request parameters; and 

if the page cannot be shared, allowing the request to be 
completed; or 

if the page can be shared, tracking the reserve call by 
creating a record and entering the record into a shared 
memory list. 

13. The secured data transmission system of claim 12 
wherein the record includes a process ID, page number and 
share count. 

14. The secured data transmission system of claim 11 
wherein filtering the commit call comprises: 

determining, by accessing a shared memory list, if the 
page is shared by another process; 

if the page is shared, determining whether either of the 
sharing processes are secured by accessing a secured 
process list; and 

if either process is secured, disallowing page sharing; or 

if both processes are not secured, creating a new shared 
memory record, updating the share count for processes 
sharing the page and updating the shared memory list 
with information contained in the new record; or if the 
page is not shared, completing the commit request. 

15. The secured data transmission system of claim 14 
wherein the record includes a process ID, page number and 
share count. 

16. A computer configured to block shared memory by a 
method comprising: 
providing a call to reserve a memory page for a requesting 
process; 

filtering the reserve call according to whether the page can 
be shared; 

providing a call to commit the memory page for the 
requesting process or for a subsequent requesting pro- 
cess; 

filtering the commit call according to whether the page 
can be shared and whether the process can be secured; 

wherein filtering the reserve call comprises: 

determining whether the page can be shared based on 
request parameters; and 

if the page cannot be shared, allowing the request to be 
completed; or 

if the page can be shared, tracking the reserve call by 
creating a record and entering the record into a shared 
memory list. 

17. The computer of claim 16 wherein the record includes 
a process ID, page number and share count. 

18. The computer of claim 16, wherein filtering the 
commit call comprises: 

determining, by accessing a shared memory list, if the 
page is shared by another process; 

if the page is shared, determining whether either of the 
sharing processes are secured by accessing a secured 
process list; and 

if either process is secured, disallowing page sharing; or 

if both processes are not secured, creating a new shared 
memory record, updating the share count for processes 
sharing the page and updating the shared memory list 
with information contained in the new record; or 

if the page is not shared, completing the commit request. 

19. The computer of claim 18 wherein the record includes 
a process ID, page number and share count. 

20. The computer of claim 16 further comprising: 

providing a call to free the memory page of all address 
spaces; 

determining whether the process is secured by checking a 
secured process list; and 

if the process is secured, overwriting the page to delete 
secured data, and deleting all records in the shared 
memory list with a page number the same as the 
overwritten page; or 

if the process is not secured deleting all records from a 
shared memory list with a page number corresponding 
to the unsecured process page. 

21. A computer-readable medium programmed to block 
shared memory by a method comprising: 

providing a call to reserve a memory page for a requesting 
process; 
filtering the reserve call according to whether the page can 
be shared; 

providing a call to commit the memory page for the 
requesting process or for a subsequent requesting pro- 
cess; 

filtering the commit call according to whether the page 
can be shared and whether the process can be secured; 

wherein filtering the commit call comprises: 

determining, by accessing a shared memory list, if the 
page is shared by another process; 

if the page is shared, determining whether either of the 
sharing processes are secured by accessing a secured 
process list; and 

if either process is secured, disallowing page sharing; or 

if both processes are not secured, creating a new shared 
memory record, updating the share count for processes 
sharing the page and updating the shared memory list 
with information contained in the new record; or 

if the page is not shared, completing the commit request. 

22. The computer-readable medium of claim 21 wherein 
filtering the reserve call comprises: 

determining whether the page can be shared based on 
request parameters; and 

if the page cannot be shared, allowing the request to be 
completed; or if the page can be shared, tracking the 
reserve call by creating a record and entering the record 
into a shared memory list. 

23. The computer-readable medium of claim 22 wherein 
the record includes a process ID, page number and share 
count. 

24. The computer-readable medium of claim 21 wherein 
the record includes a process ID, page number and share 
count. 

25. The computer-readable medium of claim 21 further 
comprising: 

providing a call to free the memory page of all address 
spaces; 

determining whether the process is secured by checking a 
secured process list; and 

if the process is secured, overwriting the page to delete 
secured data, and deleting all records in the shared 
memory list with a page number the same as the 
overwritten page; or 

if the process is not secured deleting all records from a 
shared memory list with a page number corresponding 
to the unsecured process page. 
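The reserve, commit and free filtering sequences of FIGS. 2A-D and the share-count security check of FIG. 2D, modelled as an added user-space Python example; this is editorial code, not the patent's kernel driver. The step numbers in the comments follow the description above; the page size, the sample process IDs and page numbers, and the rule that a newly committed record starts with a share count equal to the number of existing sharers are assumptions made for the model.

```python
from dataclasses import dataclass, field

PAGE_SIZE = 4096  # constructed value; the page does not state a page size


@dataclass
class Record:
    """One shared memory list entry: process ID, page number, share count."""
    pid: int
    page: int
    share_count: int = 0


@dataclass
class SharedMemoryBlocker:
    shared: list = field(default_factory=list)   # shared memory list
    secured: set = field(default_factory=set)    # secured process list
    memory: dict = field(default_factory=dict)   # page number -> bytearray

    def reserve(self, pid, page, shareable):
        """FIG. 2A: filter a page reserve call (steps 302-309)."""
        self.memory.setdefault(page, bytearray(PAGE_SIZE))
        if not shareable:                      # step 304 -> step 306
            return "completed"
        self.shared.append(Record(pid, page))  # step 308: track the call
        return "tracked"

    def commit(self, pid, page):
        """FIG. 2B: filter a page commit call (steps 310-324)."""
        others = [r for r in self.shared if r.page == page and r.pid != pid]
        if not others:                         # step 312: not shared -> 324
            return "completed"
        # step 314: is either side on the secured process list?
        if pid in self.secured or any(r.pid in self.secured for r in others):
            return "denied"                    # step 316: sharing refused
        # steps 320-322: new record; share counts bumped for every sharer
        self.shared.append(Record(pid, page, len(others)))
        for r in others:
            r.share_count += 1
        return "shared"

    def free(self, pid, page):
        """FIG. 2C: filter a page free call (steps 326-334)."""
        wiped = pid in self.secured            # step 328
        if wiped:                              # step 330: scrub secured data
            self.memory[page] = bytearray(PAGE_SIZE)
        # step 332: drop every record carrying this page number
        self.shared = [r for r in self.shared if r.page != page]
        return wiped

    def security_check(self, pid):
        """FIG. 2D: may this process open secured data? (steps 410-418)"""
        if any(r.pid == pid and r.share_count > 0 for r in self.shared):
            return False                       # step 414: denied
        self.secured.add(pid)                  # step 416: granted, listed
        return True


def run_scenario():
    """Constructed walk-through; returns the outcome of each filtered call."""
    b = SharedMemoryBlocker()
    out = {}
    out["a_reserve"] = b.reserve(100, 7, shareable=True)
    out["a_check"] = b.security_check(100)     # share count 0: granted
    b.memory[7][:6] = b"secret"                # A now holds secured data
    out["b_commit"] = b.commit(200, 7)         # A is secured: denied
    out["c_reserve"] = b.reserve(300, 9, shareable=True)
    out["d_commit"] = b.commit(400, 9)         # neither secured: shared
    out["c_check"] = b.security_check(300)     # share count 1: denied
    out["c_free_wiped"] = b.free(300, 9)       # unsecured: no overwrite
    out["c_check_after_free"] = b.security_check(300)
    out["a_free_wiped"] = b.free(100, 7)       # secured: page overwritten
    out["a_page_zeroed"] = not any(b.memory[7])
    return out
```

The scenario shows both directions of the block: a secured process cannot have its page committed by another process, and a process already sharing a page is refused access to secured data until the sharing record is gone.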